U.S. Federal Agencies Mandated to Adopt Post-Quantum Cryptography by 2030
In a significant move aimed at enhancing national security, U.S. federal agencies are required to complete their transition to post-quantum cryptography (PQC) by the year 2030, or by 2031 at the latest, depending on specific use cases. This directive was formalized in an executive order, signed by President Donald Trump on June 22, referred to as Executive Order 14409. Through this order, the Trump administration established essential requirements to accelerate the adoption of quantum-safe technologies.
The White House highlighted that the initiative aims to "safeguard America’s most sensitive data, our critical infrastructure, and the digital economy that drives jobs and growth.” The executive order outlines that all federal agencies are to transition their “high value assets” and “high impact systems” to utilize PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031.
Key establishment involves key-encapsulation mechanisms (KEM), which comprise algorithms allowing two parties to create a shared secret key over a public channel. Meanwhile, digital signatures are standard algorithms employed to verify the authenticity of data and detect unauthorized modifications.
Additionally, the executive order mandates the U.S. Department of Commerce to initiate a pilot project for PQC migration, requiring completion by December 31, 2027.
Federal Push to Coordinate PQC Transition
The executive order goes beyond specifying deadlines. President Trump has assigned the Office of Management and Budget (OMB) and the U.S. National Cyber Director to spearhead an expedited national transition to PQC. Apart from this leadership role, the order encourages the State Department and other relevant agencies to assist critical infrastructure operators and international partners in adopting PQC standards.
Moreover, the executive order instructs multiple government entities, including the OMB, the Department of Defense, NASA, and the General Services Administration, to identify cost efficiencies within the migration strategy. The Federal Acquisition Regulatory Council is charged with ensuring that contractors comply with federal cybersecurity and vulnerability disclosure requirements by the end of 2030.
New Quantum Threats Prompt Urgent Security Priorities
The urgency behind this executive order is underscored by the increasing risk of “harvest now, decrypt later” attacks. In these scenarios, adversaries collect encrypted data with plans to decrypt it once quantum computing becomes sufficiently advanced—a situation referred to as “Q-Day.”
Laurent Leloup, Secretary General of the Global Quantum Threat Alliance (GQTA), emphasized that this executive order signals a systemic shift in national security priorities. He criticized the previous, more measured approach in favor of a fast-tracked integration of PQC, potentially disadvantaging organizations that opted for a slower, more diluted resilience strategy. Leloup urged critical sectors, particularly financial services, to immediately reevaluate their security architectures and adopt what is termed “crypto-agility,” or the capability to switch encryption algorithms rapidly without overhauling existing systems.
Gary Barlet, Public Sector CTO at Illumio, echoed similar sentiments. He stressed the importance of prioritizing immediate protection strategies for existing systems, research environments, and supply chains supporting quantum innovation. Barlet warned that malicious entities do not require a quantum computer to compromise sensitive quantum research, underscoring the need for visibility, segmentation, and breach containment strategies to avert broader national security threats.
Accelerating Industry Movements Towards Quantum-Safe Encryption
The private sector, too, is beginning to adapt to the burgeoning demands of post-quantum cryptography. Companies such as Google, Dell, and HP have already initiated efforts to transition to PQC over the forthcoming decade. Notably, Cloudflare has set a target for full PQC migration by the year 2029.
Recognizing the momentum building within private industry, the U.S. government aims to expedite this transition through a coordinated national strategy. This initiative is compounded by international pressures—as seen in France’s cybersecurity agency (ANSSI) announcing it will cease certifying products lacking quantum-safe encryption starting in 2027.
Billy McDiarmid, Vice President at cybersecurity firm Red Sift, pointed out that while substantial work is underway from government, industry, and academic sectors to speed up PQC transitions, the pace may not adequately counteract evolving risks. He argued that the deadline set for 2031 should not provide a false sense of security; organizations handling sensitive data must begin preparations against the pressing concern of a 2029-2031 transition window.
Lastly, it is crucial to recognize that transitioning to post-quantum cryptography encompasses more than merely adopting new algorithms. Organizations must ensure that all components—from certificates and keys to applications and cloud services—are fortified with quantum-safe encryption to adequately protect sensitive data in an evolving landscape of quantum threats.